Watchguard Mobile Administration Guide

WatchGuard® Mobile User VPN
Administrator Guide
WatchGuard Mobile User VPN v7.3
Revised: 09/18/2007
ADDRESS:
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT:
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
ABOUT WATCHGUARD
WatchGuard is a leading provider of network security solutions for small- to mid-
sized enterprises worldwide, delivering integrated products and services that are
robust as well as easy to buy, deploy and manage. The company’s Firebox X family of
expandable integrated security appliances is designed to be fully upgradeable as an
organization grows and to deliver the industry’s best combination of security,
performance, intuitive interface and value. WatchGuard Intelligent Layered Security
architecture protects against emerging threats effectively and efficiently and provides
the flexibility to integrate additional security functionality and services offered
through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity
Service subscription to help customers stay on top of the security landscape with
vulnerability alerts, software updates, expert security instruction and superior
customer care. For more information, please call (206) 613-6600 or visit www.watchguard.com.
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright© 1998 - 2007 WatchGuard Technologies, Inc. All rights reserved.
All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Client Software: MUVPN 7.3
Management Software: WSM 9.1
Appliance Software: WFS 7.5 and Fireware 9.1
Document Version: 9.1-352-2836-002
Complete copyright, trademark, patent, and licensing
information can be found in the WatchGuard System
Manager User Guide. You can find it online at:
http://www.watchguard.com/help/documentation/
Contents
CHAPTER 1 Preparing a WFS Firebox to Use MUVPN .................................................... 1
Purchasing a Mobile User VPN license ....................................................................... 2
Adding License Keys ...................................................................................................... 2
Configuring WINS and DNS Servers ........................................................................... 2
Preparing Mobile User VPN Profiles ............................................................................ 3
Defining a User for a Firebox Authenticated Group ................................................... 3
Using Extended Authentication ..................................................................................... 6
Setting Advanced Preferences ..................................................................................... 8
Configuring Services to Allow Incoming MUVPN Traffic ........................................... 9
Regenerating End-User Profiles ................................................................................. 10
Saving the Profile to a Firebox .................................................................................... 10
Distributing the Software and Profiles ........................................................................ 10
Making Outbound IPSec Connections From Behind a Firebox ............................. 11
Configuring Debugging Options for MUVPN ............................................................ 11
Terminating Tunnels on Optional or Trusted Interfaces .......................................... 12
Terminating IPSec Connections .................................................................................. 12
CHAPTER 2 Using Fireware Policy Manager to Configure MUVPN .................... 13
Configuring WINS and DNS Servers ......................................................................... 13
Preparing Mobile User VPN Profiles .......................................................................... 14
Defining an MUVPN User Group ................................................................................ 15
Setting Advanced Preferences ................................................................................... 21
Configuring Policies to Filter MUVPN Traffic ............................................................ 22
Re-creating End-User Profiles .................................................................................... 23
Saving the Profile to a Firebox .................................................................................... 23
Distributing the Software and Profiles ........................................................................ 23
Additional MUVPN Topics ............................................................................................ 24
CHAPTER 3 MUVPN Client Preparation, Installation, and Connection ............ 27
Prepare the Remote Computers ................................................................................. 27
Installing and Uninstalling the MUVPN Client ........................................................... 34
Connect and Disconnect the MUVPN Client ............................................................ 36
Monitor the MUVPN Client Connection ..................................................................... 39
CHAPTER 4 Troubleshooting Tips for the MUVPN Client ........................................... 41
CHAPTER 5 The ZoneAlarm Personal Firewall .................................................................. 45
ZoneAlarm Features ..................................................................................................... 45
Allowing Traffic through ZoneAlarm ........................................................................... 46
Shutting Down ZoneAlarm ........................................................................................... 47
Uninstalling ZoneAlarm ................................................................................................ 47
CHAPTER 1
Preparing a WFS Firebox to Use MUVPN
The WatchGuard® Mobile User VPN (MUVPN) client uses Internet Protocol Security (IPSec) to establish a secure connection over an unsecured network from a remote computer to your protected network. MUVPN requires configuration of the Firebox® and the remote client computers. The Firebox administrator has detailed control of the client configuration through a group of settings known as an end-user profile.
MUVPN users authenticate either to the Firebox or to a separate authentication server. Authentication
occurs either with shared keys or certificates.
The complete procedure for using MUVPN is documented in the rest of this guide, and in the end-user brochures distributed for specific client operating systems. This chapter describes the Firebox configuration you must do for a Firebox III or Firebox X Core that uses WFS appliance software. These procedures should be done before you use the rest of this guide.
For information on how to configure a Firebox X Core or Firebox X Peak with Fireware appliance software, see the subsequent chapter, “Using Fireware Policy Manager to Configure MUVPN,” on page 13. For information on how to configure a Firebox SOHO 6, see the SOHO 6 User Guide. For information on how to configure a Firebox X Edge, see the Firebox X Edge User Guide.
If you are creating an MUVPN tunnel to a SOHO 6 or Firebox X Edge, WatchGuard recommends that you
obtain a static IP address. If you use a dynamically addressed SOHO 6 or Firebox X Edge, you must
reconfigure your MUVPN client every time the address changes.
MUVPN brochures
Along with this guide, WatchGuard has compiled end-user documentation regarding the preparation,
installation, and connection of the Mobile User VPN Client as well as the use of the personal firewall
included with the MUVPN client. These brochures, customized separately for the supported Windows
operating systems, are available on our web site at
http://www.watchguard.com/help/documentation/
Purchasing a Mobile User VPN license
WatchGuard® Mobile User VPN is an optional feature available for most Firebox® model lines. Although
the management software automatically includes the administrative tools to configure Mobile User
VPN, you must purchase a license for each installation of the client software to activate the feature.
A license is available through your local reseller or at:
http://www.watchguard.com/sales
Adding License Keys
The first step in configuring the Firebox for MUVPN is to type the license key or keys into the Firebox
configuration file. The Firebox automatically restricts the number of Mobile User VPN connections to
the sum of the number of seats each license key provides. From Policy Manager:
1 Select Network > Remote User. Click the Mobile User Licenses tab.
The Mobile User licenses information appears as shown below.
2 Type the license key in the text field to the left of Add. Click Add.
The license key appears in the list of client licenses configured for use with the Firebox. Repeat the
process until all your keys are added.
Encryption levels
Because strict export restrictions apply to high-encryption software, WatchGuard® System Manager is available with two encryption levels. Make sure you download and use WatchGuard System Manager with strong encryption when you use MUVPN, because the IPSec standard requires 56-bit (medium) encryption at the minimum.
Configuring WINS and DNS Servers
RUVPN and MUVPN clients rely on shared Windows Internet Name Server (WINS) and Domain Name System (DNS) server addresses. DNS translates host names into IP addresses, while WINS resolves NetBIOS names to IP addresses. These servers must be available from the Firebox® trusted interface.
Make sure you use only an internal DNS server. Do not use external DNS servers.
1 From Policy Manager, select Network > Configuration. Click the WINS/DNS tab.
The information for the WINS and DNS servers appears, as shown in the following figure.
2 Type the primary and secondary addresses for the WINS and DNS servers. Type a domain name
for the DNS server.
Preparing Mobile User VPN Profiles
With Mobile User VPN, the network security administrator controls end-user profiles. Policy Manager is used to define the name of the end user and generate a profile with the extension .wgx. The .wgx file contains the shared key, user identification, IP addresses, and settings required to create a secure tunnel between the remote computer and the Firebox. This file is then encrypted with a key consisting of eight characters or greater which is known to the administrator and the remote user. When the .wgx file is installed in the remote client, this key is used to decrypt the file for use in the client software.
If you want to lock the profile for mobile users by making it read-only, see “Setting Advanced Preferences” on page 8.
The IPSec client allows for the deployment of the software in situations where the client does not have a static IP address, for example, with a DSL connection. This is the default profile and allows for the conversion of existing profiles (with the .exp extension) to the newer version (with the .wgx extension). New keys are generated as a part of this process; they must then be distributed to the users in the field.
Defining a User for a Firebox Authenticated Group
You can use the Firebox® as an authentication server. If you want to add a new user who uses the Firebox to authenticate, use the following procedure to define that user. If the new user uses a third-party authentication server for authentication, use the procedure described in “Using Extended Authentication” on page 6.
1 From Policy Manager, select Network > Remote User. Click the Mobile User VPN tab.
The Mobile User VPN information appears, as shown in the following figure.
2 Select Firebox Authenticated Users. Click Add. Click Next.
The Mobile User VPN Wizard - Firebox Authenticated User appears.
3 Select the User Name from the drop-down list or if the User Name is not listed, click Add New.
The Setup New User dialog box appears.
4 Type the User Name and Passphrase of the new user. Retype the Passphrase to confirm. Click
OK.
5 Type a shared key for the account and retype to confirm.
This key will be used to negotiate the encryption and/or authentication for the MUVPN tunnel.
6 If you are connecting with a Pocket PC, select the applicable check box. Click Next.
7 Select if you will use the shared key or a certificate for authentication. Click Next.
8 If you specified certificates, type the configuration passphrase of your certificate authority. Click
Next.
9 Specify the network resource to which this user will be allowed to connect.
In the default configuration, the IP address of the Trusted network appears in the Allow user access
to field.
10 If you plan to use a virtual adapter and route all of the remote users’ Internet traffic through the IPSec tunnel, select the check box marked Use default gateway on remote network. This option also allows you to route MUVPN traffic through the HTTP proxies on the Firebox. For more information on this option, see “Allowing Internet connections through MUVPN tunnels” on page 5.
To allow a connection to more than one network or computer, use the procedure that follows to change
the policy.
11 Specify a virtual IP address for this mobile user. Click Next.
This can either be an unused IP address on the network you specified in the previous step or on a
false network you have created.
12 Select an authentication method and encryption method for this mobile user’s connections. Type a key expiration time in kilobytes or hours.
Authentication
MD5-HMAC (128-bit algorithm), SHA1-HMAC (160-bit algorithm), or AES 128, 192, or 256 bit
Encryption
None (no encryption), DES-CBC (56-bit), 3DES-CBC (168-bit), or AES 128, 192, or 256 bit
13 Click Next. Click Finish.
The wizard closes and the user name appears on the Mobile User VPN tab. If you expand the plus
signs (+) next to the entries, you can view the information as shown in the following figure.
Modifying an existing Mobile User VPN entry
Use the Mobile User VPN wizard to generate a new .exp or .wgx file every time you want to change an end-user profile. Reasons to change a profile include:
- Change the shared key
- Let a user connect to a new computer or network
- Set the connection to one destination port, source port, or protocol
- Change the encryption or authentication parameters
1 From Policy Manager, select Network > Remote User.
2 In the list of user names and groups on the Mobile User VPN tab, click the user name or group
you want to change.
3 Click Edit.
The Mobile User VPN wizard appears, displaying the form containing the user or group name and
passphrase.
4 Use Next to step through the wizard. Configure the end-user profile to match your security
policy requirements.
5 To add a connection for a new network or host, go to the Allowed Resources and Virtual IP
Address screen in the Mobile User VPN wizard. Click Add.
You can also use this dialog box to change the virtual IP address assigned to the remote user.
6 In the Advanced Mobile User VPN Policy Configuration dialog box, use the drop-down list to
select Network or Host. Type the IP address. Use the Dst Port, Protocol, and Src Port options to
allow connections to only a specified port or protocol. Click OK.
7 Go completely through the wizard to the final screen. Click Finish.
You must click Finish to create a new .wgx file and write the modified settings to the Firebox
configuration file.
8 Click OK.
Allowing Internet connections through MUVPN tunnels
You can enable remote users with virtual adapters to connect to the Internet through an MUVPN tunnel. However, this option has performance implications. For better performance, you can use split tunneling. Split tunneling refers to a remote user or site connecting to the Internet on the same computer as the VPN connection, without placing the Internet traffic inside the tunnel. Browsing the Web occurs directly through the user’s ISP. However, split tunneling exposes the system to attack because the Internet traffic is not filtered or encrypted.
Despite the security risks of split tunneling, it offers a large performance boost compared to an Internet connection through the MUVPN tunnel. When split tunneling is not allowed or supported, Internet-bound traffic must pass across the WAN bandwidth of the VPN gateway twice. This creates considerable load on the VPN gateway.
If you want the MUVPN client to be protected by an HTTP Proxy policy, you cannot use split tunneling. You
must let users connect to the Internet through the MUVPN tunnel. For more information, see “Outgoing
configuration to allow MUVPN traffic over proxies” on page 10.
One recommended solution is to allow split tunneling, but require that remote users have personal
firewalls for computers behind the VPN endpoint.
To allow users to connect to the Internet only through the MUVPN tunnel:
1 When you are running the MUVPN wizard, select the check box marked Use default gateway on
remote network on the network resource screen.
2 Create a dynamic NAT entry from VPN to the external interface. If you want to specify that only
specified MUVPN users have this ability, create entries from <virtual IP address> to the external
interface.
3 Add services as appropriate to allow outgoing connections for mobile users. Because this lets
users connect to the Internet only through the tunnel, you use the Incoming tab to configure
outgoing traffic.
Using Extended Authentication
MUVPN with extended authentication allows users to authenticate to a Windows NT or RADIUS
authentication server instead of to the Firebox. Instead of validating against its own data, the Firebox
validates users against the third-party server. No user names or passwords need to be configured on
the Firebox.
The advantage of MUVPN with extended authentication is that the network administrator does not
have to continually synchronize user login information between the Firebox and the authentication
server. MUVPN users log in to the corporate network from remote locations with the same user name
and password they use when they are at their desks inside the company.
If you want to use a third-party server for authentication, you must set an extended authentication
group on the Firebox. The user names and passwords for MUVPN users are kept on the authentication
server and not on the Firebox. Note that users actually connect and authenticate to the Firebox; the
third-party server only supplies the user database.
Define an extended authentication group
1 From Policy Manager, select Network > Remote User. Click the Mobile User VPN tab.
The Mobile User VPN information appears, as shown in the following figure.
2 Select Extended Authentication Groups. Click Add. Click Next.
The Mobile User VPN Wizard - Extended Authentication Group appears.
3 Specify a name for the extended authentication group. Specify the passphrase used to encrypt the .wgx file for this group. Click Next.
4 Select an authentication server for this group from the drop-down list. Click Next.
You must use the Authentication Server dialog box before you do this step. For more information,
see the WFS Configuration Guide.
5 Select if this group will use a shared key or a certificate for authentication. Click Next.
6 If you specified certificates, type the configuration passphrase of your Certificate Authority. This
can be the Firebox or a third-party CA device. Click Next.
If you specify the passphrase of the Firebox, CA must be active on the Firebox. For information on
activating the CA, see the chapter on certificates and the Certificate Authority in the Firebox
documentation.
7 Specify the network resources to which this group will be allowed to connect. To add a new
resource, click Add.
The Advanced Mobile User VPN Policy Configuration dialog box appears.
8 Use the Allow Access to drop-down list to select Network or Host. Type the IP address. Use the
Dst Port, Protocol, and Src Port options if you want the client to use only a specified port or
protocol.
9 If you plan to use a virtual adapter and route all of the remote users’ Internet traffic through the
IPSec tunnel, select the check box marked Use default gateway on remote network. Click
Next.
10 Specify the virtual IP address pool (these can be virtual IP addresses on a false network). To add
addresses, click Add and type an address or address range. Click Next.
11 Select an authentication method and encryption method for the connection this group uses.
Type a key expiration frequency in kilobytes or hours.
If you type a value for kilobytes and hours, the key expires when the traffic matches one of the
criteria.
Authentication
MD5-HMAC (128-bit algorithm) or SHA1-HMAC (160-bit algorithm)
Encryption
None (no encryption), DES-CBC (56-bit), or 3DES-CBC (168-bit)
12 Click Next. Click Finish.
The wizard closes and the group name appears on the Mobile User VPN tab. If you expand the plus
signs (+) next to the entries, you can see the information as shown in the following figure.
Configuring the external authentication server
Define a group on the server that has the same name as the extended authentication remote gateway.
All MUVPN users that authenticate to the server must belong to this group.
Setting Advanced Preferences
Advanced settings include specifying a virtual adapter rule, allowing MUVPN connections on any interface, and locking down the end-user profile so that users can see the settings but not change them. Locking down the profile is the recommended setting, because users usually cannot make effective changes to the profile without making corresponding modifications to the Firebox®.
1 Click Advanced on the Mobile User VPN tab.
The Advanced Export File Preferences dialog box appears.
2 To prevent users from changing their profile, select the Make the security policy read-only in
the MUVPN client check box.
3 To allow MUVPN tunnels from any interface, select the Allow MUVPN connects from all
interfaces check box.
4 A virtual adapter is used to assign client IP addresses and network parameters such as WINS and
DNS. Select the virtual adapter rule for the mobile user:
Disabled
(Recommended) The mobile user does not use a virtual adapter to connect to the MUVPN client.
Preferred
If the virtual adapter is in use or not available, address assignment is performed without it.
Required
The mobile user must use a virtual adapter to connect to the MUVPN client.
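The wizard choices described in this chapter (authentication and encryption method, key expiration in kilobytes or hours, the eight-character profile passphrase, the read-only setting, the virtual adapter rule and the Use default gateway option) can be checked against the guide's own recommendations before a .wgx file is generated. The following is an added example, not WatchGuard code: the profile dictionary and its key names are an assumed representation of the wizard settings, and the rule that a key expires when either the kilobyte or the hour limit is reached follows step 11 of the extended authentication procedure.

```python
"""Review of the tunnel settings chosen in the Mobile User VPN wizard.

Added example, not part of WatchGuard's software. The ``profile`` dictionary
is an assumed, hand-built representation of the wizard choices described in
this chapter; the algorithm names are the ones the wizard lists.
"""
from typing import List, Optional, Tuple

# Options offered by the wizard, with the bit lengths the guide gives.
AUTH_METHODS = {"MD5-HMAC": 128, "SHA1-HMAC": 160}
ENC_METHODS = {"None": 0, "DES-CBC": 56, "3DES-CBC": 168,
               "AES-128": 128, "AES-192": 192, "AES-256": 256}
VIRTUAL_ADAPTER_RULES = ("Disabled", "Preferred", "Required")


def key_expired(kb_sent: int, hours_up: float,
                limit_kb: Optional[int], limit_hours: Optional[float]) -> bool:
    """True when the IPSec key must be renegotiated.

    If both a kilobyte and an hour value are typed, the key expires as soon
    as the traffic matches *either* criterion. ``None`` means the criterion
    was left unset (an assumption of this example, not stated by the guide).
    """
    by_volume = limit_kb is not None and kb_sent >= limit_kb
    by_time = limit_hours is not None and hours_up >= limit_hours
    return by_volume or by_time


def review_profile(profile: dict) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one end-user profile.

    'error' = the guide says this is required or does not work,
    'warn'  = weakens the tunnel or exposes the client,
    'info'  = differs from the guide's recommended setting.
    """
    findings = []
    auth = profile.get("authentication")
    enc = profile.get("encryption")

    if auth not in AUTH_METHODS:
        findings.append(("error", f"unknown authentication method {auth!r}"))
    elif auth == "MD5-HMAC":
        findings.append(("info", "MD5-HMAC selected; SHA1-HMAC is the stronger option"))

    if enc not in ENC_METHODS:
        findings.append(("error", f"unknown encryption method {enc!r}"))
    elif ENC_METHODS[enc] == 0:
        # 'None' leaves user identity and all tunnel traffic readable on the wire.
        findings.append(("warn", "encryption 'None': tunnel traffic is not protected"))
    elif ENC_METHODS[enc] < 128:
        # The guide calls 56-bit the minimum; treat it as legacy-only.
        findings.append(("warn", f"{enc} is {ENC_METHODS[enc]}-bit; prefer 3DES-CBC or AES"))

    if profile.get("limit_kb") is None and profile.get("limit_hours") is None:
        findings.append(("warn", "no key expiration set; the same key is used indefinitely"))

    # The .wgx file is encrypted with a passphrase of eight characters or more.
    if len(profile.get("profile_passphrase", "")) < 8:
        findings.append(("error", "profile passphrase must be at least 8 characters"))

    # Advanced preferences: read-only profile and a Disabled virtual adapter
    # are the settings this chapter recommends.
    if not profile.get("read_only", False):
        findings.append(("info", "profile is not read-only; users can edit settings"))
    rule = profile.get("virtual_adapter")
    if rule not in VIRTUAL_ADAPTER_RULES:
        findings.append(("error", "virtual adapter rule must be Disabled, Preferred or Required"))
    elif rule != "Disabled":
        findings.append(("info", f"virtual adapter rule {rule}; guide recommends Disabled"))

    # Without 'Use default gateway on remote network' the client split-tunnels,
    # so its own Internet traffic is neither filtered nor encrypted.
    if not profile.get("use_default_gateway", False):
        findings.append(("warn", "split tunneling: Internet traffic bypasses the Firebox"))
    return findings
```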
Configuring Services to Allow Incoming MUVPN Traffic
In the default configuration, MUVPN users cannot connect to computers on the trusted or optional networks protected by your Firebox. To allow remote users to connect to those resources, you must add their user names, extended authentication group (for MUVPN users who authenticate to an external server), or the ipsec_users group (for MUVPN users authenticating to the Firebox) to service icons in the Services Arena. Note that extended authentication groups must be added to services because these users are not members of ipsec_users.
We recommend two methods for configuring services for MUVPN traffic: by individual service or by
using the Any service. Configuring the Any service “opens a hole” through the Firebox®, allowing all
traffic to flow unfiltered between specific hosts.
To allow traffic to be filtered by WatchGuard’s proxies, follow this procedure, with the slight Service
modifications shown at “Outgoing configuration to allow MUVPN traffic over proxies” on page 10.
By individual service
In the Services Arena, double-click a service that you want to enable for your VPN users. Set the following properties on the service:
Incoming
- Enabled and allowed
- From: ipsec_users or extended authentication group
- To: trusted interface, optional interface, network or host IP address, or alias
Outgoing
- Enabled and allowed
- From: trusted interface, optional interface, network or host IP address, or alias
- To: ipsec_users or extended authentication group
This figure shows an example of how you might define incoming properties for a service.
Outgoing configuration to allow MUVPN traffic over proxies
The following Services configuration allows MUVPN traffic to be filtered by a proxy.
- Enabled and allowed
- From: ipsec_users, pptp_users, or extended authentication group
- To: trusted interface, optional interface, network or host IP address, or alias
Using the Any service
Add the Any service with the following properties:
Incoming
- Enabled and allowed
- From: ipsec_users or extended authentication group
- To: trusted interface, optional interface, network or host IP address, or alias
Outgoing
- Enabled and allowed
- From: trusted interface, optional interface, network or host IP address, or alias
- To: ipsec_users or extended authentication group
You cannot use the Any service to allow outgoing traffic To the external interface. Use the Outgoing service
to allow outgoing traffic To the external interface.
Make sure you save your configuration file to the Firebox after you make these changes.
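The Incoming and Outgoing properties above decide which remote users a service admits, and the section's warning that extended authentication users are not members of ipsec_users is the usual reason a correctly built tunnel still cannot reach anything. The following is an added example, not WatchGuard code: it models a service icon as From/To alias sets, resolves which aliases a given MUVPN user matches, and flags the two configurations this section says do not work. Alias and interface names are taken from this chapter; the user names and addresses are constructed.

```python
"""Model of the Services Arena rules this chapter asks you to add for MUVPN.

Added example, not WatchGuard code. It encodes the page's point that MUVPN
users who authenticate to the Firebox belong to the ipsec_users alias, while
extended authentication users belong only to their own group, so a service
whose From field lists only ipsec_users silently excludes them.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

EXTERNAL = "external"   # interface names as used in this guide
TRUSTED = "trusted"
OPTIONAL = "optional"


@dataclass
class Rule:
    """One direction (Incoming or Outgoing) of a service icon."""
    enabled: bool = True
    allowed: bool = True
    src: Set[str] = field(default_factory=set)   # From: aliases, interfaces, hosts
    dst: Set[str] = field(default_factory=set)   # To: aliases, interfaces, hosts


@dataclass
class Service:
    name: str
    incoming: Rule
    outgoing: Rule


@dataclass
class MuvpnUser:
    name: str
    ext_auth_group: Optional[str] = None   # None = authenticates to the Firebox

    def aliases(self) -> Set[str]:
        """Names this user's traffic matches in a From or To field."""
        if self.ext_auth_group is None:
            return {self.name, "ipsec_users"}
        # Extended authentication users are NOT members of ipsec_users.
        return {self.name, self.ext_auth_group}


def _matches(rule: Rule, src: Set[str], dst: Set[str]) -> bool:
    return (rule.enabled and rule.allowed
            and bool(rule.src & src) and bool(rule.dst & dst))


def allowed_incoming(svc: Service, user: MuvpnUser, host: str, iface: str) -> bool:
    """Can the remote user reach ``host`` on interface ``iface`` through svc?"""
    return _matches(svc.incoming, user.aliases(), {host, iface})


def allowed_outgoing(svc: Service, host: str, iface: str, user: MuvpnUser) -> bool:
    """Can ``host`` on ``iface`` open a connection out to the remote user?"""
    return _matches(svc.outgoing, {host, iface}, user.aliases())


def validate_service(svc: Service) -> List[str]:
    """Configuration problems this section calls out for MUVPN services."""
    problems = []
    if svc.name == "Any" and EXTERNAL in svc.outgoing.dst:
        problems.append("Any service cannot allow outgoing traffic To external; "
                        "use the Outgoing service instead")
    if svc.incoming.enabled and svc.incoming.allowed and not svc.incoming.src:
        problems.append("Incoming is enabled but From lists nobody")
    return problems


def muvpn_service(name: str, groups: Set[str]) -> Service:
    """Build a service with the Incoming/Outgoing properties listed above."""
    return Service(name,
                   incoming=Rule(src=set(groups), dst={TRUSTED}),
                   outgoing=Rule(src={TRUSTED}, dst=set(groups)))
```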
Regenerating End-User Profiles
The WatchGuard® MUVPN configuration gives you the ability to regenerate end-user profiles for your
existing MUVPN users. You do not need to create a new profile when you regenerate. Regeneration
creates new end-user profiles with the same settings for the current MUVPN users.
To generate new end-user profiles for current MUVPN users, on the Mobile User VPN tab, click Regenerate. If you use WatchGuard System Manager v9.0 with WFS, profiles are kept in C:\Documents and Settings\All Users\Shared WatchGuard\muvpn\[firebox.ip.address]\wgx\.
You can now distribute these end-user profiles as necessary.
Saving the Profile to a Firebox
To activate a new Mobile User profile, you must save the configuration file to the Firebox®. Select File >
Save > To Firebox.
Distributing the Software and Profiles
We recommend distributing end-user profiles by encrypted email or some other secure method. Each
client computer must have:
Software installation package
The packages are located on the WatchGuard® LiveSecurity® Service web site at:
http://www.watchguard.com/support
Enter the site using your LiveSecurity Service user name and password. Click the Latest Software link, then click either Any Firebox III Model or Any Firebox X model from the drop-down list. Click the MUVPN Software download.
The end-user profile
This file contains the user name, shared key, and settings that enable a remote computer to connect securely over the Internet to a protected, private computer network. The end-user profile has the filename user name.wgx.
Two certificate files—if you authenticate with certificates
These are the .p12 file, an encrypted file containing the certificate, and cacert.pem, which
contains the root Certificate Authority (CA) certificate.
User documentation
End-user brochures developed by WatchGuard are located on the WatchGuard LiveSecurity
Service web site at:
www.watchguard.com/support
Enter the site using your LiveSecurity user name and password. Click the Product
Documentation link, and then click the Firebox System link.
Shared key
To install the end-user profile, the user is prompted for a shared key. This key decrypts the file
and imports the security policy into the MUVPN client. The key is set during the creation of the
file in Policy Manager.
Making Outbound IPSec Connections From Behind a Firebox
It can sometimes be necessary to make an IPSec connection to a Firebox® from behind a second Firebox. An example is a mobile user from your company, at a different location that also has a Firebox, who must connect to your corporate network. For the local Firebox to correctly transmit the outgoing IPSec connection, you must set up the IPSec service. For information on services, see “Configuring Filtered Services” in the WFS Configuration Guide.
Because the IPSec service enables a tunnel to the IPSec server and does not examine the traffic for suspicious content at the firewall, we recommend that you do not use this service as a standard policy.
Configuring Debugging Options for MUVPN
WatchGuard® System Manager includes a selection of log options that you can set to get information and help you with troubleshooting. When you enable these diagnostic options, the log message volume increases. This can have negative effects on Firebox performance. We recommend that you use these options only to troubleshoot MUVPN problems.
1 From Policy Manager, click Network > Remote User VPN.
The Remote User setup window appears with the Mobile User VPN tab selected.
2 Click Logging.
The IPSec Logging dialog box appears.
3 Click the logging options you want to activate.
For a description of each option, right-click it, and then click What’s This?
4 Click OK. Save the configuration file to the Firebox.
Terminating Tunnels on Optional or Trusted Interfaces
Because the Firebox® can accept IKE traffic (IPSec key negotiation on the optional port), the IPSec peer
can be connected directly to the optional port and can route traffic to the trusted network. To enable
this feature, on the Safenet Clients security policy editor, set the IP address of the remote gateway to
the Firebox’s optional IP address.
Terminating IPSec Connections
To stop a VPN connection, you must restart the Firebox. If you delete only the IPSec service, active connections to the Firebox do not stop.
CHAPTER 2
Using Fireware Policy Manager to Configure MUVPN
The full procedure for using MUVPN is included in this guide and in the operating system–specific
MUVPN end-user brochures. This chapter supplies the Firebox® procedures you must perform.
Like RUVPN with PPTP, when you use Mobile User VPN (MUVPN) you must configure the Firebox and
the remote client computers. However, with MUVPN you or another Firebox administrator can make
the client configuration. You make end-user profiles to set parameters for the client.
MUVPN users authenticate either to the Firebox or to another authentication server. You can authenticate with shared keys or certificates.
Because strict export restrictions apply to high-encryption software, WatchGuard® System Manager is available with two encryption levels. Make sure you download and use WatchGuard System Manager with strong encryption when you use MUVPN, because the IPSec standard requires 56-bit (medium) encryption at the minimum.
Configuring WINS and DNS Servers
RUVPN and MUVPN clients rely on shared Windows Internet Name Server (WINS) and Domain Name
System (DNS) server addresses. DNS translates host names into IP addresses. WINS resolves NetBIOS
names to IP addresses. These servers must be accessible from the Firebox® trusted interface.
Make sure you use only an internal DNS server. Do not use external DNS servers.
1 From Policy Manager, click Network > Configuration. Click the WINS/DNS tab.
The information for the WINS and DNS servers appears.
2 Type a domain name for the DNS server.
3 In the DNS Servers and WINS Servers text boxes, type the addresses for the WINS and DNS
servers.
Preparing Mobile User VPN Profiles
With Mobile User VPN, the network security administrator controls end-user profiles. Policy Manager is used to set the name of the end user and create a profile with the extension .wgx. The .wgx file contains the shared key, user identification, IP addresses, and settings that are used to create a secure tunnel between the remote computer and the Firebox®. This file is encrypted with a key that is eight characters or greater in length. This key must be known to the administrator and the remote user. When the .wgx file is installed in the remote client, this key is used to decrypt the file for use in the client software.
If you want to lock the profiles for mobile users by making them read-only, see “Setting Advanced Preferences” on page 21.
Mobile users connect to the network with MUVPN client software. The MUVPN client allows you to
deploy the software in the situation where the client does not have a static IP address, such as with a
DSL connection.
This is the default profile and allows for the conversion of existing profiles (with the .exp extension) to
the newer version (with the .wgx extension). New keys are created as a part of this process. They must
then be given to the remote users in the field.
Defining an MUVPN User Group
You can use this procedure if the new user group you create uses the Firebox® for authentication, or if it
will use a third-party authentication server for authentication.
1 From Policy Manager, click VPN > Remote Users.
The Remote User VPN configuration dialog box appears.
2 Click Add.
The Add Mobile User VPN Wizard appears.
3 Click Next.
4 Select an authentication server from the Authentication Server drop-down list. You can
authenticate users with the internal Firebox database (Firebox-DB) or with a RADIUS, SecurID,
LDAP, or Active Directory server. Make sure that this method of authentication is enabled in
Policy Manager (select Setup > Authentication > Authentication Servers).
See the “Authentication” chapter in the WatchGuard® System Manager User Guide for more information.
5 Type a group name in the Group Name field. Make sure the name is unique among MUVPN
group names as well as all interface and tunnel names. Click Next.
The group name cannot include a dash (-). The MUVPN client cannot import files that use a dash in the
name.
6 Select the authentication method.
If you select passphrase, type and retype the passphrase in the fields. If you use an RSA
certificate, provide the address and passphrase for your server.
7 Click Next.
8 Select an option for Internet traffic. You can allow all Internet traffic between the MUVPN client
and the Internet to use the ISP of the client, or you can make all Internet traffic use the VPN
tunnel. If you make sure all Internet traffic goes through the tunnel, more processing power and
bandwidth is used. However, the configuration is more secure.
9 Add the networks and computers to which this user can have access.
Click Add to add a host IP address or a network IP address. Type an address and click OK in the
Add Address dialog box. Do this step again to add more resources.
10 Click Next.
11 Add virtual IP addresses. MUVPN users will use these IP addresses when they connect to your
network.
Click Add to add one IP address or an IP address range. Do this step again to add more virtual IP
addresses.
If High Availability is configured, you must add two virtual IP addresses for each MUVPN user.
12 Click Next. The success dialog box appears. The MUVPN profile is saved in the My Documents
folder at the location
My Watchguard\Shared WatchGuard\muvpn\ip_address\MUVPN\wgx. Click Finish.
13 The Remote User VPN Configuration dialog box appears.
To add users to this group, use the procedure for adding users in the “Authentication” chapter in the WatchGuard System Manager User Guide.
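The rules the wizard steps above and the WINS/DNS section impose on a group definition (no dash in the group name, a name unique among group, interface and tunnel names, a shared key of eight characters or more, two virtual IPs per user when High Availability is configured, internal-only DNS servers) can be checked before you open Policy Manager. The following pre-flight script is an added example, not part of this guide or of WatchGuard's software; it assumes that "internal DNS server" means a private (RFC 1918) address, and the sample group values are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed pre-flight check for an MUVPN group definition. It mirrors the
# constraints stated in this guide; treating "internal" as a private address
# is an assumption made here, not a rule from the guide.

@dataclass
class MuvpnGroup:
    name: str
    passphrase: str          # shared key that protects the .wgx profile
    users: list              # user names that will belong to the group
    virtual_ips: list        # "a.b.c.d" or "a.b.c.d-e.f.g.h" entries
    dns_servers: list
    high_availability: bool = False

def count_virtual_ips(entries):
    """Count addresses in single-IP and 'start-end' range entries."""
    total = 0
    for entry in entries:
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if int(end) < int(start):
                raise ValueError(f"range {entry} is reversed")
            total += int(end) - int(start) + 1
        else:
            ipaddress.ip_address(entry)  # raises on a malformed address
            total += 1
    return total

def check_group(group, existing_names):
    """Return a list of problems; an empty list means the group passes."""
    problems = []
    if "-" in group.name:
        problems.append("group name contains a dash; the MUVPN client cannot import it")
    if group.name in existing_names:
        problems.append("group name collides with an existing group, interface or tunnel name")
    if len(group.passphrase) < 8:
        problems.append("shared key must be eight characters or longer")
    # With High Availability, each user needs two virtual IP addresses.
    needed = len(group.users) * (2 if group.high_availability else 1)
    available = count_virtual_ips(group.virtual_ips)
    if available < needed:
        problems.append(f"{available} virtual IPs for {len(group.users)} users; {needed} needed")
    for server in group.dns_servers:
        if not ipaddress.ip_address(server).is_private:
            problems.append(f"DNS server {server} is not an internal address")
    return problems
```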
Configuring the external authentication server
If you create an MUVPN user group that authenticates to a third-party server, make sure you create a
group on the server that has the same name as the extended authentication remote gateway. All
MUVPN users that authenticate to the server must belong to this group.
Modifying an existing Mobile User VPN entry
After you use the Mobile User VPN wizard to create a new .wgx file, you can change the profile to:
Change the shared key
Add access to more hosts or networks
Restrict access to a single destination port, source port, or protocol
Change the Phase 1 or Phase 2 settings.
1 From Policy Manager, click VPN > Remote Users.
2 From the list of user names and groups on the Remote User VPN dialog box, click the user name
or group to change.